Checking if a user is still logged in: HELP!


FethrdWlf
04-18-2011, 08:14 PM
I'm trying to find out how to check if a user has previously logged into my site. Pretty much it's kinda like Twitter (http://www.twitter.com). When you first go to the website, you will be sent to a homepage for people who haven't signed up, or who need to log in. Then, once they log in, if they check a "Remember Me" box, then they'll be automatically logged in.

How can I do that? :-)

edbr
04-19-2011, 01:04 AM
cookies http://www.w3schools.com/PHP/php_cookies.asp

FethrdWlf
04-19-2011, 02:21 AM
Yes! Thank you. So, when a user logs in, I should set a cookie to represent that they logged in. I can just set the expiry time to - I don't know - 31 days? That should work.

edbr
04-19-2011, 02:43 AM
yes you could

ranjan
04-19-2011, 07:43 PM
In your database, have your cookie associated with the client's IP address and check for this "IP Lock" before starting a "logged in" session with your client.

Make sure you have a long, unique, hard-to-guess key cookie and store this in the database along with the user id. For this, consider one of the crypto extensions available: http://www.php.net/manual/en/refs.crypto.php

FethrdWlf
04-20-2011, 12:02 AM
Could you elaborate?

ranjan
04-20-2011, 02:32 AM
Not secure scenario:

1. User logs in for the first time, you set a cookie on his/her machine.
2. On the next session user tries to access restricted page, you check if cookie exists and if it does you bypass login and forward them to restricted page
3. If not show login page

Secure scenario:

1. User logs in, you set cookie, send that cookie + client's IP address to your database
2. Next session, get the cookie and check if it exists in your database; if it does, compare the stored IP from step 1 to the client's current IP. If that checks out, then send him to restricted page.
3. If not show login page

For more details

http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/

The above tutorial also uses MD5 crypto to store the password.
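
The secure scenario above as PHP, added here as an example and not code from the thread or the linked tutorial. The `remember_tokens` table, the `remember` cookie name and both function names are assumptions, PHP 7.3 or later is assumed, and storing only a SHA-256 hash of the token goes one step beyond what the post describes.

```php
<?php
// Added example: table, cookie and function names are hypothetical, not from the thread.
// Assumed schema:
//   CREATE TABLE remember_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER,
//                                 ip TEXT, expires_at INTEGER);

const REMEMBER_TTL = 31 * 24 * 3600; // 31 days, the lifetime suggested in the thread

// Step 1 of the secure scenario: call after a successful password login.
function issueRememberToken(PDO $db, int $userId, string $ip): string
{
    $token = bin2hex(random_bytes(32)); // long, unique, hard-to-guess value
    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (token_hash, user_id, ip, expires_at) VALUES (?, ?, ?, ?)'
    );
    // Only a hash is stored, so a leaked table does not yield usable cookies.
    $stmt->execute([hash('sha256', $token), $userId, $ip, time() + REMEMBER_TTL]);
    setcookie('remember', $token, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return $token;
}

// Steps 2 and 3: returns the user id, or null when the login page must be shown.
function checkRememberToken(PDO $db, ?string $cookie, string $ip): ?int
{
    if ($cookie === null || !preg_match('/^[0-9a-f]{64}$/', $cookie)) {
        return null; // missing or malformed cookie
    }
    $stmt = $db->prepare(
        'SELECT user_id, ip, expires_at FROM remember_tokens WHERE token_hash = ?'
    );
    $stmt->execute([hash('sha256', $cookie)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires_at'] < time()) {
        return null; // unknown or expired token
    }
    if (!hash_equals($row['ip'], $ip)) {
        return null; // "IP lock" failed: cookie presented from another address
    }
    return (int)$row['user_id'];
}

// On a restricted page, before any output:
// $userId = checkRememberToken($db, $_COOKIE['remember'] ?? null, $_SERVER['REMOTE_ADDR']);
```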

FethrdWlf
04-23-2011, 01:29 AM
That's good advice, thank you!